WordPress
Monthly
Stored XSS in the myCred WordPress plugin (versions up to and including 3.1) allows authenticated attackers holding contributor-level access or above to inject persistent JavaScript payloads via the unsanitized 'wrap' shortcode attribute in the leaderboard shortcode handler. When any user - including administrators - visits a page containing the injected shortcode, the payload executes in their browser, enabling session hijacking or privilege escalation. No public exploit or CISA KEV listing has been identified at time of analysis; fix is available in version 3.1.1 as confirmed by WordPress plugin trac changeset 3572451.
The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline JavaScript on a frontend page containing one of its shortcodes, leading to a Reflected Cross-Site Scripting vulnerability that can be triggered against any logged-in user.
The LearnPress WordPress plugin before 4.3.7 does not gate the `edit` context on one of its REST endpoint behind the `edit_users` capability, allowing unauthenticated visitors to retrieve each returned user's roles, full capabilities map, extra capabilities, locale, and registration date via a crafted request
The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin before 2.1.3 does not properly escape a user-supplied parameter before reflecting it into an HTML attribute on a non-nonce-protected AJAX response, allowing unauthenticated attackers to deliver Reflected Cross-Site Scripting against any authenticated user (including administrators) via a crafted URL.
The WP Magnific Popup WordPress plugin through 1.0 does not properly escape user-controlled link URLs before injecting them into the DOM when displaying image load error messages, allowing authenticated attackers with Author-level access or above to perform Stored Cross-Site Scripting attacks against any visiting user.
Unauthenticated SQL injection in the JetEngine WordPress plugin versions up to 3.8.10.1 allows remote attackers to extract database contents via the listing_load_more AJAX handler. The filtered_query parameter is deliberately excluded from the HMAC signature check to enable front-end filter integration, but meta_query row values are merged into SQL without sanitization, enabling time-based or boolean blind injection. No public exploit identified at time of analysis, though the bug was reported by Wordfence and source code locations are publicly referenced.
Remote code execution in the ACPT (Pro) - Custom Post Types Plugin for WordPress (versions through 2.0.47) allows unauthenticated remote attackers to inject and execute arbitrary code on the underlying WordPress host. The CVSS 3.1 base score of 10.0 with a scope change (S:C) indicates the flaw escapes the plugin sandbox and compromises the entire WordPress installation. No public exploit has been identified at time of analysis, but the trivial attack profile (network, no auth, no UI) makes this a high-priority patching target.
Unauthenticated arbitrary file download affects the 'WordPress & WooCommerce Scraper Plugin, Import Data from Any Site' plugin by Extendons in versions up to and including 1.0.7. Remote attackers can exploit a path traversal weakness (CWE-22) to retrieve arbitrary files from the underlying web server without any authentication, exposing sensitive data such as wp-config.php credentials. No public exploit identified at time of analysis, but the network-reachable, no-privilege CVSS profile (7.5) makes opportunistic mass-scanning by WordPress vulnerability scanners likely once disclosed.
Arbitrary file deletion in the WP Review Slider Pro WordPress plugin (versions up to and including 12.6.8) allows authenticated attackers with Subscriber-level access to delete arbitrary files on the underlying server, potentially escalating to remote code execution by removing files such as wp-config.php to trigger the WordPress setup flow. The flaw stems from missing capability checks on two AJAX handlers (wpfb_hide_review and wprp_save_review_admin) combined with a defective strpos()-based prefix check in wpfb_hidereview_ajax() that fails to neutralize path traversal sequences before calling unlink(). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; reported by Wordfence.
Privilege escalation in the LatePoint Calendar Booking plugin for WordPress (versions up to and including 5.5.1) allows an authenticated user with Agent-level access or higher to chain three independent flaws and overwrite a WordPress Administrator's password without invoking any Administrator-only API. Wordfence-reported flaw with no public exploit identified at time of analysis, though source code locations of all three vulnerable code paths are referenced in the disclosure.
Unauthenticated order sabotage in WooCommerce Stripe Payment Gateway (all versions ≤10.7.0) allows any remote attacker to force pending WooCommerce orders into a 'failed' state without owning or authenticating against those orders. The root cause is a missing authorization check on the `ajax_pay_for_order()` function: the only gate is a nonce that is publicly available on any page where Express Checkout is enabled, providing no actual access control. Exploitation is trivially automatable via sequential order ID enumeration, enabling targeted disruption of an entire store's pending transactions. No public exploit has been identified at time of analysis, and no KEV listing exists, but the attack complexity is effectively zero for stores with Express Checkout active.
Unauthenticated SQL injection in the GEO my WordPress plugin versions 4.5.5 and earlier allows remote attackers to inject arbitrary SQL into backend queries against WordPress sites running the plugin. The flaw was disclosed via Patchstack, carries a CVSS 9.3 with scope change, and currently has no public exploit identified at time of analysis, though SQL injection in WordPress plugins is historically a high-value automated target.
Unauthorized information disclosure in the WooCommerce POS WordPress plugin (versions 1.8.14 and earlier) allows remote unauthenticated attackers to access protected resources due to missing authorization checks. The CVSS 3.1 score of 7.5 reflects high confidentiality impact with no integrity or availability effect, and no public exploit identified at time of analysis. The flaw was disclosed by Patchstack and aligns with CWE-862 (Missing Authorization), a common pattern in WordPress plugin endpoints that omit capability checks.
Reflected cross-site scripting in the WPFactory 'Min Max Step Quantity Limits Manager for WooCommerce' WordPress plugin (versions 5.2.2 and earlier) allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser after the victim clicks a crafted link. The CVSS 3.1 score of 7.1 is elevated by a scope change (S:C), reflecting that script execution can affect the WordPress admin context, but exploitation requires user interaction (UI:R). No public exploit was identified at time of analysis and the issue is not listed in CISA KEV.
Stored Cross-Site Scripting in the WordPress 'File Sharing & Download Manager - User Private Files' plugin (all versions through 2.1.6) allows authenticated attackers with subscriber-level access to persistently inject malicious JavaScript via the 'fldr_ttl' (folder title) parameter. The payload is stored server-side and executes in the browsers of any user who subsequently visits an affected page, enabling session hijacking, credential theft, or malicious redirects. No public exploit or CISA KEV listing exists at time of analysis, but low privilege requirements (subscriber-level) expand the attacker pool significantly on sites with open registration.
Authenticated SQL injection in the WP Review Slider Pro WordPress plugin through version 12.6.8 lets Subscriber-level users append arbitrary SQL via the wpfb_find_reviews AJAX action, enabling extraction of sensitive database contents including user credentials and secrets. The flaw is reachable by any logged-in WordPress account, which on sites with open registration effectively lowers the bar to near-unauthenticated. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unauthorized form submission disclosure in RTMKit (rometheme-for-elementor) versions up to and including 2.0.7 allows any Contributor-level WordPress user to read arbitrary form submissions belonging to other users. The root cause is a missing capability check on the get_submission_content AJAX endpoint, enabling horizontal privilege escalation across all stored form entries by iterating numeric entry IDs. No public exploit or CISA KEV listing has been identified at time of analysis, but exploitation is mechanically trivial for any authenticated user; sites collecting sensitive PII or business data via RTMKit forms should treat this as high operational priority despite the medium CVSS score.
SQL injection in the WP Review Slider Pro WordPress plugin (versions ≤12.6.8) allows authenticated attackers with Subscriber-level access to inject arbitrary SQL via the 'stypes' and 'slocations' JSON parameters of the wppro_get_overall_chart_data AJAX action. Because the vulnerable handler echoes the executed SQL back in its JSON response, attackers gain a built-in oracle that turns blind injection into a near-trivial database extraction primitive. No public exploit identified at time of analysis, but the very low privilege barrier on a default WordPress install makes any exposed site a realistic target.
Insecure Direct Object Reference in the Static Block WordPress plugin (versions ≤2.2) allows contributor-level authenticated users to read the full post_content of any post - including private, draft, and pending posts created by administrators - by embedding the [static_block_content id="X"] shortcode and triggering a preview. The shortcode handler in static-block.php calls get_post() with an attacker-supplied numeric ID and outputs the result without any post-status or capability verification. No public exploit code has been identified at time of analysis and this is not listed in CISA KEV, but the attack is low-complexity and requires only a standard contributor WordPress account.
Remote code execution in the Premmerce Dev Tools WordPress plugin (versions ≤ 2.0) allows authenticated users with Subscriber-level access or higher to write arbitrary PHP files into wp-content/plugins/ by injecting payloads into the premmerce_plugin_namespace POST parameter. The flaw stems from a missing authorization check in generatePluginHandler combined with unsanitized string substitution in createFromStub, enabling attackers to escape the namespace context with a semicolon and execute arbitrary PHP on the host. No public exploit identified at time of analysis, but the low privilege barrier and the high-impact CVSS 8.8 score make this a serious risk on sites with open registration.
Unauthenticated arbitrary post deletion in the Abandoned Contact Form 7 WordPress plugin (versions ≤ 2.2) allows any remote attacker to permanently erase any post, page, or custom content type from an affected site by submitting a single crafted HTTP request. The plugin's AJAX handler is registered on the `wp_ajax_nopriv_remove_abandoned` hook without capability checks or nonce validation, exposing WordPress's `wp_delete_post()` with the force-delete flag set to true to unauthenticated callers who supply any valid post ID. No confirmed active exploitation (CISA KEV) or public exploit code has been identified at time of analysis, but the trivially automatable, zero-prerequisite attack surface makes this a high-priority remediation target for any site running the vulnerable plugin version.
Unauthenticated access to Zoom SDK credentials is possible in the Video Conferencing with Zoom WordPress plugin (versions up to and including 4.6.7) due to missing authorization checks on AJAX endpoints. Any unauthenticated remote attacker can retrieve the site's Zoom SDK API key - a persistent, reusable secret - along with a freshly-signed JWT, enabling them to join any Zoom meeting associated with those credentials without a valid invitation. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the low attack complexity and zero authentication requirement make this straightforward to exploit.
Unauthenticated sensitive data exposure in the Signature Add-On for WooCommerce WordPress plugin versions 2.0 and earlier allows remote attackers to retrieve protected information without credentials over the network. Reported by Patchstack and tracked as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), the issue carries a CVSS 7.5 score driven entirely by confidentiality impact. At time of analysis there is no public exploit identified and no CISA KEV listing, but the trivial attack complexity makes opportunistic scanning plausible.
Unauthenticated SQL injection in the GPTranslate - Multilingual AI Translation for WordPress plugin (versions 2.32.6 and earlier) by jExtensions Store allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. The CVSS 9.3 score reflects a scope change with high confidentiality impact and low availability impact, indicating data exposure beyond the plugin's own context. No public exploit identified at time of analysis, but the unauthenticated nature and WordPress plugin attack surface make this a high-priority patch.
Broken authentication in the Upsell Order Bump Offer for WooCommerce plugin (versions 3.1.4 and earlier) allows remote unauthenticated attackers to manipulate offer/price integrity on affected WordPress storefronts. Patchstack classifies the issue as a price manipulation vulnerability with high integrity impact, and no public exploit identified at time of analysis. The defect is reachable over the network without authentication or user interaction, making any WooCommerce store running the plugin a direct target.
Unauthenticated broken access control in the Hippoo Mobile App for WooCommerce WordPress plugin (versions 1.9.5 and earlier) allows remote attackers to access protected functionality or data without valid credentials. The flaw is reported by Patchstack and stems from missing authorization checks (CWE-862), enabling unauthenticated retrieval or manipulation of resources that should be gated behind authentication. No public exploit identified at time of analysis, and it is not currently listed in CISA KEV.
Unauthenticated arbitrary file download in the WPC Product Options for WooCommerce WordPress plugin (versions ≤ 3.2.1) allows remote attackers to retrieve arbitrary files from the underlying server without any credentials. The flaw is a classic path traversal (CWE-22) reachable over the network at low complexity, and while no public exploit identified at time of analysis, the disclosure by Patchstack and trivial attack profile make opportunistic scanning likely against WooCommerce storefronts running this plugin.
Unauthenticated sensitive data exposure in the WebToffee 'WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels' WordPress plugin versions 4.9.4 and earlier allows remote attackers to retrieve protected information without credentials. The flaw, reported by Patchstack and tracked as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), carries a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) with confidentiality-only impact. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
SQL injection in the ELEX WordPress HelpDesk & Customer Ticketing System plugin (versions <= 3.3.6) allows authenticated users with low-privilege Subscriber accounts to inject arbitrary SQL into backend database queries. Successful exploitation results in high confidentiality impact with a scope change, enabling access to data beyond the plugin's own tables, plus limited availability impact. No public exploit identified at time of analysis, but the disclosure originates from Patchstack's WordPress plugin vulnerability program.
Unauthorized data tampering in the WPC Product Bundles for WooCommerce WordPress plugin (versions 8.5.3 and earlier) allows remote attackers to manipulate plugin state without authentication due to missing authorization checks. Reported by Patchstack, the flaw carries a CVSS 7.5 reflecting high integrity impact with no confidentiality or availability impact, and no public exploit identified at time of analysis.
Broken access control in the Montonio for WooCommerce WordPress plugin versions 10.1.2 and earlier allows remote unauthenticated attackers to perform integrity-impacting actions without proper authorization checks. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates the flaw is trivially reachable over the network against default deployments, with high integrity impact but no direct confidentiality or availability consequences. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Information disclosure in the Email Marketing for WooCommerce by Omnisend WordPress plugin versions 1.18.0 and earlier allows unauthenticated remote attackers to bypass authentication controls and access protected data. The flaw is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and carries CVSS 7.5 driven entirely by confidentiality impact. No public exploit identified at time of analysis, and the issue is not on CISA KEV.
Unauthenticated broken access control in the AI Product Search for WooCommerce - Motive Commerce Search WordPress plugin (versions <= 1.38.2) allows remote attackers to invoke privileged functionality without authentication, leading to data integrity tampering and significant availability impact on affected WooCommerce storefronts. Reported by Patchstack with no public exploit identified at time of analysis and no CISA KEV listing, the issue stems from missing authorization checks (CWE-862) on plugin endpoints reachable over the network with no user interaction.
SQL injection in the Tyche Softwares 'Order Delivery Date for WooCommerce' WordPress plugin (versions up to and including 4.5.1) allows unauthenticated remote attackers to inject arbitrary SQL into backend queries. Per the CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L) the flaw is network-reachable, requires no privileges or interaction, and results in a scope change with high confidentiality impact and partial availability impact. No public exploit identified at time of analysis, but Patchstack tracking and the CWE-89 classification put this in a well-understood, easily weaponizable bug class for WordPress sites.
Broken Access Control in rtMedia for WordPress, BuddyPress and bbPress (versions <= 4.7.9) permits low-privileged authenticated users at the subscriber level to invoke privileged plugin functionality without authorization, yielding high integrity impact. The CVSS vector (PR:L, I:H, AV:N, AC:L, UI:N) confirms that any logged-in subscriber can exploit this remotely without complexity or user interaction, making sites with open user registration particularly exposed. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.
Broken access control in the Redsys for WooCommerce Light WordPress plugin (versions up to and including 7.0.0) allows remote unauthenticated attackers to invoke privileged functionality without proper authorization checks, leading to integrity impact on payment gateway operations. The flaw stems from missing authorization (CWE-862) on plugin endpoints, and at time of analysis no public exploit was identified, though the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) makes it trivially reachable. The vulnerability was reported by Patchstack and tracked as EUVD-2026-36973.
Stored Cross-Site Scripting in the Shipment Tracker for WooCommerce WordPress plugin (versions up to and including 1.5.3.2) allows authenticated subscriber-level users to inject malicious scripts that execute in a privileged user's browser session. The CVSS scope-change flag (S:C) indicates the injected payload crosses into the administrator's browser context, enabling session hijacking, credential theft, or unauthorized admin actions. Reported by Patchstack with no public exploit code identified at time of analysis and no CISA KEV listing.
PHP Object Injection in the Advanced Product Fields (Product Addons) for WooCommerce plugin versions 1.6.19 and below allows authenticated users with Shop Manager privileges to deserialize attacker-controlled data, potentially leading to remote code execution or full site compromise depending on available PHP gadget chains. The flaw was disclosed by Patchstack and tracked as EUVD-2026-36946; no public exploit identified at time of analysis and the issue is not in CISA KEV.
PHP Object Injection in the WooCommerce PDF Invoices & Packing Slips WordPress plugin before version 5.9.0 allows authenticated users with Shop Manager privileges to trigger unsafe deserialization, potentially leading to full compromise of confidentiality, integrity, and availability. The flaw was reported by Patchstack and a vendor patch is available, though no public exploit has been identified at time of analysis. The CVSS 7.2 score reflects high privilege requirements offset by network reach and severe impact.
Privilege escalation in the WooCommerce Cart Abandonment Recovery WordPress plugin before version 2.1.0 allows an authenticated shop manager to elevate privileges beyond their intended role on affected WordPress sites. The flaw, tracked as CWE-266 (Incorrect Privilege Assignment), carries a CVSS 7.2 (High) score and has a vendor-released patch in 2.1.0, with no public exploit identified at time of analysis.
Arbitrary file deletion in Meta Box - WordPress Custom Fields Framework versions 5.11.1 and earlier exposes servers to filesystem damage through a path traversal flaw (CWE-22) accessible to WordPress Contributor-level users. By embedding traversal sequences in a crafted file deletion request, an authenticated Contributor can delete files outside the intended plugin directory, potentially reaching critical server or WordPress installation files. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis; however, the scope-changed CVSS metric indicates that impact can extend beyond the WordPress application boundary to the underlying server filesystem.
Unauthenticated SQL injection in the Feed KuantoKusta for WooCommerce Free WordPress plugin (versions n/a through 5.3) allows remote attackers to inject crafted SQL statements without prior authentication. Disclosed via Patchstack and tracked as EUVD-2026-36926, the flaw carries a CVSS 3.1 score of 9.3 with a changed scope, indicating data exposure beyond the plugin's own context. No public exploit identified at time of analysis, and no EPSS or KEV signal was provided in the input.
Reflected/stored cross-site scripting in the WooCommerce Product Table Lite WordPress plugin (versions ≤ 4.6.3) allows remote unauthenticated attackers to inject malicious JavaScript that executes in a victim's browser when they interact with a crafted link or page. Successful exploitation can lead to session hijacking, credential theft, or administrative actions performed in the context of an authenticated WordPress user, including site administrators. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the unauthenticated attack surface combined with WordPress's broad install base makes this a meaningful risk for sites running the plugin.
Broken access control in the Event Tickets Manager for WooCommerce WordPress plugin (versions up to and including 1.5.3) allows remote unauthenticated attackers to perform restricted actions or modify data without proper authorization checks. The flaw stems from a missing authorization layer (CWE-862) on one or more plugin endpoints, making it reachable directly over HTTP by anyone who can talk to the WordPress site. No public exploit has been identified at time of analysis, but the vulnerability was reported by Patchstack and is tracked under EUVD-2026-36920.
Unauthenticated sensitive data exposure in the IDPay Payment Gateway for WooCommerce WordPress plugin (versions ≤ 2.2.5) allows remote attackers to retrieve confidential information without credentials or user interaction over the network. The flaw was reported by Patchstack and tracked as EUVD-2026-36918; no public exploit identified at time of analysis. With a CVSS 7.5 (high) score driven entirely by confidentiality impact, the issue is significant for any WooCommerce site processing payments through this Iranian payment gateway integration.
Remote code execution in Edgar Rojas WooCommerce PDF Invoice Builder WordPress plugin (versions through 2.0.8) allows unauthenticated remote attackers to inject and execute arbitrary code on the host WordPress site. The CVSS 10.0 score with scope change reflects the severe impact: attackers can fully compromise the WordPress instance and potentially pivot beyond it. No public exploit identified at time of analysis, but the trivial attack vector (AV:N/AC:L/PR:N/UI:N) makes mass exploitation likely once details surface.
WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post'. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the download_backup.php. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress appointment-booking-calendar 1.1.24 contains multiple privilege escalation vulnerabilities that allow unauthenticated attackers to modify calendar settings and inject persistent cross-site. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by disabling CSRF token validation. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Abtest contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the action parameter. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin HB Audio Gallery Lite 1.0.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary files by manipulating the file_path parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Brandfolder plugin version 3.0 and earlier contains a local file inclusion vulnerability in callback.php that allows unauthenticated attackers to include arbitrary files by manipulating the. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Dharma Booking 2.28.3 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the gateway parameter. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress IMDb Profile Widget 1.0.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the url parameter. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Photocart Link 1.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Simple-Backup 2.7.11 contains multiple vulnerabilities that allow unauthenticated attackers to delete arbitrary files and download sensitive files by manipulating the delete_backup_file and. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Ultimate Product Catalog 3.8.6 contains an arbitrary file upload vulnerability that allows authenticated users with contributor, editor, author, or administrator roles to upload malicious. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Lazy Content Slider Plugin 3.4 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Answer My Question 1.3 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
BBS e-Franchise 1.1.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the uid. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The 404 Redirection Manager plugin version 1.0 for WordPress contains an unauthenticated SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Booking Calendar Contact Form 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress CP Polls 1.0.8 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress CP Polls 1.0.8 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unsanitized file upload functionality. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Stored Cross-Site Scripting in the Form Builder CP WordPress plugin (all versions before 1.2.47) allows authenticated users holding Editor-level access or above to inject persistent malicious scripts via unsanitized form configuration values, which execute in every visitor's browser upon rendering the affected form. Critically, this attack succeeds even when WordPress's `unfiltered_html` capability has been revoked - a control that multisite administrators commonly rely on to prevent exactly this class of injection from Editor-level roles. A publicly available exploit exists per WPScan, though no confirmed active exploitation (CISA KEV) has been recorded and the EPSS score of 0.19% (9th percentile) reflects limited automated mass exploitation at time of analysis.
The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend page enqueuing its map script, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin access.
The WP Go Maps WordPress plugin before 10.0.10 does not perform any approval-state filtering on its public single-marker REST endpoint, allowing unauthenticated users to retrieve marker records that an administrator has not yet approved for public display, including any PII placed in the address and description fields and the marker's geographic coordinates.
The WP Go Maps WordPress plugin before 10.0.10 does not properly enforce the marker approval filter on the admin-ajax fallback for its datatables route, allowing unauthenticated visitors to retrieve marker records that the site owner has not approved for public display, including their title, category, address and description fields.
Iptanus File Upload WordPress plugin before version 5.1.7 allows authenticated low-privilege users to overwrite other users' uploaded files by exploiting a Time-of-Check to Time-of-Use (TOCTOU) race condition in the plugin's file deduplication logic. The flaw is conditional on the `duplicatepolicy` setting being configured to 'maintain both,' and requires winning a precise timing race between the file existence check and the write operation. No active exploitation is confirmed by CISA KEV; however, a publicly available exploit exists via WPScan, and EPSS remains negligible at 0.01%, consistent with the high attack complexity required.
Stored cross-site scripting in the Bookly Online Scheduling and Appointment Booking System plugin for WordPress (versions through 27.2) allows remote unauthenticated attackers to inject arbitrary JavaScript via the 'bookly-customer-full-name' cookie, which is rendered without proper sanitization or output escaping. Exploitation is gated by the non-default 'Remember personal information in cookies' setting being enabled, and no public exploit identified at time of analysis. The flaw was reported by Wordfence and the upstream fix landed in changeset 3504922 in the WordPress plugin repository.
Meow Gallery plugin for WordPress (all versions through 5.4.4) exposes an unprotected REST API endpoint that permits any authenticated user with Author-level access or above to overwrite or create arbitrary gallery shortcode records by supplying a user-controlled `id` parameter. The endpoint `/wp-json/meow-gallery/v1/save_shortcode` performs direct database write operations without verifying ownership of the referenced record, making this a classic CWE-639 (IDOR) pattern. No public exploit or CISA KEV listing has been identified at time of analysis; however, the low attack complexity and wide availability of Author-level accounts in multi-contributor WordPress environments elevate real-world risk above what the CVSS 4.3 score alone suggests.
Stored Cross-Site Scripting in the Canvas plugin for WordPress (versions ≤ 2.5.2) allows an authenticated attacker holding contributor-level access or above to inject persistent JavaScript via the unsanitized 'tag' parameter in the block-section-heading Gutenberg block. The payload is stored in the database and executes in the browser of any user who subsequently loads the compromised page, enabling session hijacking, credential theft, or malicious redirects at scale. No active exploitation is confirmed (not listed in CISA KEV), but the low privilege bar makes this a realistic threat on multi-author WordPress installations; a fix is available in version 2.5.3.
Incorrect authorization in the Pagelayer WordPress plugin (versions up to and including 2.0.9) allows authenticated attackers with Contributor-level access to inject arbitrary contact-form mail templates into post metadata via the pagelayer_save_content AJAX handler, which are subsequently consumed without privilege enforcement by the unauthenticated pagelayer_contact_submit endpoint through user-controlled post and form identifiers. The practical impact is attacker-defined control over outbound email templates dispatched from the affected site, exploitable by any registered Contributor without admin interaction. No public exploit has been identified at time of analysis, but the Wordfence advisory notes this vulnerability may be chained with CVE-2026-2442 to further amplify attacker control over outbound email behavior.
Stored cross-site scripting in the Pagelayer Drag and Drop website builder plugin for WordPress (versions up to and including 2.0.9) allows authenticated contributors to inject persistent malicious scripts via the Anchor block component. Any site visitor - including privileged administrators - who loads an injected page will execute the attacker-supplied script in their browser, enabling session token theft, credential harvesting, or privilege escalation. No public exploit code has been identified at time of analysis and this vulnerability is not listed in CISA's KEV catalog; however, the low authentication barrier (contributor-level) makes it realistically accessible on multi-author WordPress sites.
Stored Cross-Site Scripting in FooGallery WordPress plugin versions through 3.1.31 allows authenticated contributors to inject persistent JavaScript via the 'custom_attribute_key' shortcode parameter, executing against any visitor who views an affected page. The flaw combines a bypass-prone event-handler blacklist in foogallery_sanitize_javascript() - which omits handlers like 'onmouseenter' - with unescaped attribute key output in foogallery_build_container_attributes_safe(), together enabling DOM-level script injection. A patched version 3.1.32 is confirmed released; no public exploit code or CISA KEV listing has been identified at time of analysis.
The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary `.php` files from the server, including configuration files that contain database credentials and authentication keys.
The Store Locator WordPress plugin before 1.6.9 does not sanitize and escape store logo metadata before storing it and outputting it on the Store Locator WordPress plugin before 1.6.9 admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network).
Stored cross-site scripting in the GPTranslate - Multilingual AI Translation WordPress plugin (versions ≤ 2.31) allows unauthenticated attackers to inject arbitrary JavaScript into translated pages via the /wp-json/gptranslate/v1/request REST endpoint. Because the API key is deterministically derived as sha256(site_url) and exposed in every page's HTML as the gptApiKey JavaScript variable, any visitor can recover it and submit malicious translation payloads that execute in the browsers of subsequent visitors. No public exploit identified at time of analysis, but the exposed key makes exploitation trivial once the technique is known.
SQL injection in the WP Ticket WordPress plugin (versions up to and including 6.0.4) allows unauthenticated remote attackers to inject arbitrary SQL via the WordPress front-end search query parameter `s`, enabling extraction of sensitive database contents. The flaw stems from concatenating the unslashed search term into a UNION sub-SELECT without using `$wpdb->prepare()`. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the unauthenticated network attack vector keeps risk meaningful on exposed sites.
Arbitrary file read in the LWS Optimize WordPress plugin (versions up to and including 3.3.19) permits authenticated users with Editor-level access or above to retrieve any file readable by the web-server process, including sensitive files such as wp-config.php. The vulnerable `combine_current_css()` function blindly trusts stylesheet href values harvested from page HTML, resolves them to absolute filesystem paths, and passes them to `file_get_contents()` without enforcing a safe-directory boundary or a `.css` extension check - a classic CWE-22 path traversal pattern. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the attack path is straightforward given the source code is publicly accessible in the WordPress plugin repository.
The Secure Copy Content Protection and Content Locking WordPress plugin before 5.1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Cross-tenant privilege escalation in WebPros WordPress Toolkit prior to 6.11.0 (as bundled with cPanel & WHM) allows an authenticated low-privilege account holder to inject arguments into the wp-toolkit CLI and execute commands in the context of another tenant on the same shared server. With a CVSS of 9.9 and scope change, a single compromised hosting account can pivot to siblings on the same host. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Stored XSS in the Presto Player WordPress plugin (versions ≤ 4.2.0) lets authenticated contributors persist arbitrary JavaScript payloads by supplying a javascript: URI as the link_url parameter of the [presto_player_overlay] shortcode. The getOverlays() function in Shortcodes.php copies the attribute into overlay configuration without scheme validation, causing the URI to survive into the href attribute rendered by the presto-dynamic-overlay-ui Stencil.js web component; any visitor who loads the injected page triggers execution. No public exploit or CISA KEV listing has been identified at time of analysis, but the low attack complexity within the contributor-access constraint makes this a realistic risk on multi-author or membership-based WordPress installations.
Privilege escalation in the Hippoo Mobile App for WooCommerce WordPress plugin (versions up to and including 1.9.4) allows remote unauthenticated attackers to elevate privileges on affected sites due to incorrect privilege assignment (CWE-266). With a CVSS 3.1 score of 9.8 and Patchstack-reported network-exploitable characteristics, this issue can lead to full compromise of WooCommerce-backed WordPress stores; no public exploit identified at time of analysis.
Server-side request forgery in the Fediverse Embeds WordPress plugin before 1.5.8 lets any unauthenticated visitor coerce the WordPress host into issuing arbitrary outbound HTTP requests and returns the full response body to the caller, turning the site into a full-read open proxy. The flaw stems from the ftf/media-proxy REST route being registered with permission_callback => __return_true and a dead allowlist check whose result was never honored before wp_remote_get was invoked on a base64-decoded attacker-supplied URL. No public exploit identified at time of analysis, but the bug is trivial to weaponize against internal cloud metadata endpoints and intranet services from any reachable WordPress install.
Server-Side Request Forgery in the Fediverse Embeds WordPress plugin (versions prior to 1.5.9) allows any unauthenticated visitor to cause the WordPress server to fetch an arbitrary URL by abusing a publicly exposed AJAX endpoint. The nonce mechanism guarding the endpoint (`ftf-fediverse-embeds-nonce`) is not an authentication boundary - the same nonce is embedded into every public page containing a fediverse embed, making it trivially obtainable by any site visitor. Once obtained, the nonce can be replayed to invoke `file_get_html($site_url)` with an attacker-controlled URL, potentially exposing internal services such as cloud provider metadata endpoints. No active exploitation has been confirmed (CVE is not in CISA KEV) and no public proof-of-concept has been identified at time of analysis.
Stored XSS in the myCred WordPress plugin (versions up to and including 3.1) allows authenticated attackers holding contributor-level access or above to inject persistent JavaScript payloads via the unsanitized 'wrap' shortcode attribute in the leaderboard shortcode handler. When any user - including administrators - visits a page containing the injected shortcode, the payload executes in their browser, enabling session hijacking or privilege escalation. No public exploit or CISA KEV listing has been identified at time of analysis; fix is available in version 3.1.1 as confirmed by WordPress plugin trac changeset 3572451.
The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline JavaScript on a frontend page containing one of its shortcodes, leading to a Reflected Cross-Site Scripting vulnerability that can be triggered against any logged-in user.
The LearnPress WordPress plugin before 4.3.7 does not gate the `edit` context on one of its REST endpoint behind the `edit_users` capability, allowing unauthenticated visitors to retrieve each returned user's roles, full capabilities map, extra capabilities, locale, and registration date via a crafted request
The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin before 2.1.3 does not properly escape a user-supplied parameter before reflecting it into an HTML attribute on a non-nonce-protected AJAX response, allowing unauthenticated attackers to deliver Reflected Cross-Site Scripting against any authenticated user (including administrators) via a crafted URL.
The WP Magnific Popup WordPress plugin through 1.0 does not properly escape user-controlled link URLs before injecting them into the DOM when displaying image load error messages, allowing authenticated attackers with Author-level access or above to perform Stored Cross-Site Scripting attacks against any visiting user.
Unauthenticated SQL injection in the JetEngine WordPress plugin versions up to 3.8.10.1 allows remote attackers to extract database contents via the listing_load_more AJAX handler. The filtered_query parameter is deliberately excluded from the HMAC signature check to enable front-end filter integration, but meta_query row values are merged into SQL without sanitization, enabling time-based or boolean blind injection. No public exploit identified at time of analysis, though the bug was reported by Wordfence and source code locations are publicly referenced.
Remote code execution in the ACPT (Pro) - Custom Post Types Plugin for WordPress (versions through 2.0.47) allows unauthenticated remote attackers to inject and execute arbitrary code on the underlying WordPress host. The CVSS 3.1 base score of 10.0 with a scope change (S:C) indicates the flaw escapes the plugin sandbox and compromises the entire WordPress installation. No public exploit has been identified at time of analysis, but the trivial attack profile (network, no auth, no UI) makes this a high-priority patching target.
Unauthenticated arbitrary file download affects the 'WordPress & WooCommerce Scraper Plugin, Import Data from Any Site' plugin by Extendons in versions up to and including 1.0.7. Remote attackers can exploit a path traversal weakness (CWE-22) to retrieve arbitrary files from the underlying web server without any authentication, exposing sensitive data such as wp-config.php credentials. No public exploit identified at time of analysis, but the network-reachable, no-privilege CVSS profile (7.5) makes opportunistic mass-scanning by WordPress vulnerability scanners likely once disclosed.
Arbitrary file deletion in the WP Review Slider Pro WordPress plugin (versions up to and including 12.6.8) allows authenticated attackers with Subscriber-level access to delete arbitrary files on the underlying server, potentially escalating to remote code execution by removing files such as wp-config.php to trigger the WordPress setup flow. The flaw stems from missing capability checks on two AJAX handlers (wpfb_hide_review and wprp_save_review_admin) combined with a defective strpos()-based prefix check in wpfb_hidereview_ajax() that fails to neutralize path traversal sequences before calling unlink(). No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; reported by Wordfence.
Privilege escalation in the LatePoint Calendar Booking plugin for WordPress (versions up to and including 5.5.1) allows an authenticated user with Agent-level access or higher to chain three independent flaws and overwrite a WordPress Administrator's password without invoking any Administrator-only API. Wordfence-reported flaw with no public exploit identified at time of analysis, though source code locations of all three vulnerable code paths are referenced in the disclosure.
Unauthenticated order sabotage in WooCommerce Stripe Payment Gateway (all versions ≤10.7.0) allows any remote attacker to force pending WooCommerce orders into a 'failed' state without owning or authenticating against those orders. The root cause is a missing authorization check on the `ajax_pay_for_order()` function: the only gate is a nonce that is publicly available on any page where Express Checkout is enabled, providing no actual access control. Exploitation is trivially automatable via sequential order ID enumeration, enabling targeted disruption of an entire store's pending transactions. No public exploit has been identified at time of analysis, and no KEV listing exists, but the attack complexity is effectively zero for stores with Express Checkout active.
Unauthenticated SQL injection in the GEO my WordPress plugin versions 4.5.5 and earlier allows remote attackers to inject arbitrary SQL into backend queries against WordPress sites running the plugin. The flaw was disclosed via Patchstack, carries a CVSS 9.3 with scope change, and currently has no public exploit identified at time of analysis, though SQL injection in WordPress plugins is historically a high-value automated target.
Unauthorized information disclosure in the WooCommerce POS WordPress plugin (versions 1.8.14 and earlier) allows remote unauthenticated attackers to access protected resources due to missing authorization checks. The CVSS 3.1 score of 7.5 reflects high confidentiality impact with no integrity or availability effect, and no public exploit identified at time of analysis. The flaw was disclosed by Patchstack and aligns with CWE-862 (Missing Authorization), a common pattern in WordPress plugin endpoints that omit capability checks.
Reflected cross-site scripting in the WPFactory 'Min Max Step Quantity Limits Manager for WooCommerce' WordPress plugin (versions 5.2.2 and earlier) allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser after the victim clicks a crafted link. The CVSS 3.1 score of 7.1 is elevated by a scope change (S:C), reflecting that script execution can affect the WordPress admin context, but exploitation requires user interaction (UI:R). No public exploit was identified at time of analysis and the issue is not listed in CISA KEV.
Stored Cross-Site Scripting in the WordPress 'File Sharing & Download Manager - User Private Files' plugin (all versions through 2.1.6) allows authenticated attackers with subscriber-level access to persistently inject malicious JavaScript via the 'fldr_ttl' (folder title) parameter. The payload is stored server-side and executes in the browsers of any user who subsequently visits an affected page, enabling session hijacking, credential theft, or malicious redirects. No public exploit or CISA KEV listing exists at time of analysis, but low privilege requirements (subscriber-level) expand the attacker pool significantly on sites with open registration.
Authenticated SQL injection in the WP Review Slider Pro WordPress plugin through version 12.6.8 lets Subscriber-level users append arbitrary SQL via the wpfb_find_reviews AJAX action, enabling extraction of sensitive database contents including user credentials and secrets. The flaw is reachable by any logged-in WordPress account, which on sites with open registration effectively lowers the bar to near-unauthenticated. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unauthorized form submission disclosure in RTMKit (rometheme-for-elementor) versions up to and including 2.0.7 allows any Contributor-level WordPress user to read arbitrary form submissions belonging to other users. The root cause is a missing capability check on the get_submission_content AJAX endpoint, enabling horizontal privilege escalation across all stored form entries by iterating numeric entry IDs. No public exploit or CISA KEV listing has been identified at time of analysis, but exploitation is mechanically trivial for any authenticated user; sites collecting sensitive PII or business data via RTMKit forms should treat this as high operational priority despite the medium CVSS score.
SQL injection in the WP Review Slider Pro WordPress plugin (versions ≤12.6.8) allows authenticated attackers with Subscriber-level access to inject arbitrary SQL via the 'stypes' and 'slocations' JSON parameters of the wppro_get_overall_chart_data AJAX action. Because the vulnerable handler echoes the executed SQL back in its JSON response, attackers gain a built-in oracle that turns blind injection into a near-trivial database extraction primitive. No public exploit identified at time of analysis, but the very low privilege barrier on a default WordPress install makes any exposed site a realistic target.
Insecure Direct Object Reference in the Static Block WordPress plugin (versions ≤2.2) allows contributor-level authenticated users to read the full post_content of any post - including private, draft, and pending posts created by administrators - by embedding the [static_block_content id="X"] shortcode and triggering a preview. The shortcode handler in static-block.php calls get_post() with an attacker-supplied numeric ID and outputs the result without any post-status or capability verification. No public exploit code has been identified at time of analysis and this is not listed in CISA KEV, but the attack is low-complexity and requires only a standard contributor WordPress account.
Remote code execution in the Premmerce Dev Tools WordPress plugin (versions ≤ 2.0) allows authenticated users with Subscriber-level access or higher to write arbitrary PHP files into wp-content/plugins/ by injecting payloads into the premmerce_plugin_namespace POST parameter. The flaw stems from a missing authorization check in generatePluginHandler combined with unsanitized string substitution in createFromStub, enabling attackers to escape the namespace context with a semicolon and execute arbitrary PHP on the host. No public exploit identified at time of analysis, but the low privilege barrier and the high-impact CVSS 8.8 score make this a serious risk on sites with open registration.
Unauthenticated arbitrary post deletion in the Abandoned Contact Form 7 WordPress plugin (versions ≤ 2.2) allows any remote attacker to permanently erase any post, page, or custom content type from an affected site by submitting a single crafted HTTP request. The plugin's AJAX handler is registered on the `wp_ajax_nopriv_remove_abandoned` hook without capability checks or nonce validation, exposing WordPress's `wp_delete_post()` with the force-delete flag set to true to unauthenticated callers who supply any valid post ID. No confirmed active exploitation (CISA KEV) or public exploit code has been identified at time of analysis, but the trivially automatable, zero-prerequisite attack surface makes this a high-priority remediation target for any site running the vulnerable plugin version.
Unauthenticated access to Zoom SDK credentials is possible in the Video Conferencing with Zoom WordPress plugin (versions up to and including 4.6.7) due to missing authorization checks on AJAX endpoints. Any unauthenticated remote attacker can retrieve the site's Zoom SDK API key - a persistent, reusable secret - along with a freshly-signed JWT, enabling them to join any Zoom meeting associated with those credentials without a valid invitation. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the low attack complexity and zero authentication requirement make this straightforward to exploit.
Unauthenticated sensitive data exposure in the Signature Add-On for WooCommerce WordPress plugin versions 2.0 and earlier allows remote attackers to retrieve protected information without credentials over the network. Reported by Patchstack and tracked as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), the issue carries a CVSS 7.5 score driven entirely by confidentiality impact. At time of analysis there is no public exploit identified and no CISA KEV listing, but the trivial attack complexity makes opportunistic scanning plausible.
Unauthenticated SQL injection in the GPTranslate - Multilingual AI Translation for WordPress plugin (versions 2.32.6 and earlier) by jExtensions Store allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. The CVSS 9.3 score reflects a scope change with high confidentiality impact and low availability impact, indicating data exposure beyond the plugin's own context. No public exploit identified at time of analysis, but the unauthenticated nature and WordPress plugin attack surface make this a high-priority patch.
Broken authentication in the Upsell Order Bump Offer for WooCommerce plugin (versions 3.1.4 and earlier) allows remote unauthenticated attackers to manipulate offer/price integrity on affected WordPress storefronts. Patchstack classifies the issue as a price manipulation vulnerability with high integrity impact, and no public exploit identified at time of analysis. The defect is reachable over the network without authentication or user interaction, making any WooCommerce store running the plugin a direct target.
Unauthenticated broken access control in the Hippoo Mobile App for WooCommerce WordPress plugin (versions 1.9.5 and earlier) allows remote attackers to access protected functionality or data without valid credentials. The flaw is reported by Patchstack and stems from missing authorization checks (CWE-862), enabling unauthenticated retrieval or manipulation of resources that should be gated behind authentication. No public exploit identified at time of analysis, and it is not currently listed in CISA KEV.
Unauthenticated arbitrary file download in the WPC Product Options for WooCommerce WordPress plugin (versions ≤ 3.2.1) allows remote attackers to retrieve arbitrary files from the underlying server without any credentials. The flaw is a classic path traversal (CWE-22) reachable over the network at low complexity, and while no public exploit identified at time of analysis, the disclosure by Patchstack and trivial attack profile make opportunistic scanning likely against WooCommerce storefronts running this plugin.
Unauthenticated sensitive data exposure in the WebToffee 'WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels' WordPress plugin versions 4.9.4 and earlier allows remote attackers to retrieve protected information without credentials. The flaw, reported by Patchstack and tracked as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), carries a CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) with confidentiality-only impact. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
SQL injection in the ELEX WordPress HelpDesk & Customer Ticketing System plugin (versions <= 3.3.6) allows authenticated users with low-privilege Subscriber accounts to inject arbitrary SQL into backend database queries. Successful exploitation results in high confidentiality impact with a scope change, enabling access to data beyond the plugin's own tables, plus limited availability impact. No public exploit identified at time of analysis, but the disclosure originates from Patchstack's WordPress plugin vulnerability program.
Unauthorized data tampering in the WPC Product Bundles for WooCommerce WordPress plugin (versions 8.5.3 and earlier) allows remote attackers to manipulate plugin state without authentication due to missing authorization checks. Reported by Patchstack, the flaw carries a CVSS 7.5 reflecting high integrity impact with no confidentiality or availability impact, and no public exploit identified at time of analysis.
Broken access control in the Montonio for WooCommerce WordPress plugin versions 10.1.2 and earlier allows remote unauthenticated attackers to perform integrity-impacting actions without proper authorization checks. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates the flaw is trivially reachable over the network against default deployments, with high integrity impact but no direct confidentiality or availability consequences. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Information disclosure in the Email Marketing for WooCommerce by Omnisend WordPress plugin versions 1.18.0 and earlier allows unauthenticated remote attackers to bypass authentication controls and access protected data. The flaw is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and carries CVSS 7.5 driven entirely by confidentiality impact. No public exploit identified at time of analysis, and the issue is not on CISA KEV.
Unauthenticated broken access control in the AI Product Search for WooCommerce - Motive Commerce Search WordPress plugin (versions <= 1.38.2) allows remote attackers to invoke privileged functionality without authentication, leading to data integrity tampering and significant availability impact on affected WooCommerce storefronts. Reported by Patchstack with no public exploit identified at time of analysis and no CISA KEV listing, the issue stems from missing authorization checks (CWE-862) on plugin endpoints reachable over the network with no user interaction.
SQL injection in the Tyche Softwares 'Order Delivery Date for WooCommerce' WordPress plugin (versions up to and including 4.5.1) allows unauthenticated remote attackers to inject arbitrary SQL into backend queries. Per the CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L) the flaw is network-reachable, requires no privileges or interaction, and results in a scope change with high confidentiality impact and partial availability impact. No public exploit identified at time of analysis, but Patchstack tracking and the CWE-89 classification put this in a well-understood, easily weaponizable bug class for WordPress sites.
Broken Access Control in rtMedia for WordPress, BuddyPress and bbPress (versions <= 4.7.9) permits low-privileged authenticated users at the subscriber level to invoke privileged plugin functionality without authorization, yielding high integrity impact. The CVSS vector (PR:L, I:H, AV:N, AC:L, UI:N) confirms that any logged-in subscriber can exploit this remotely without complexity or user interaction, making sites with open user registration particularly exposed. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.
Broken access control in the Redsys for WooCommerce Light WordPress plugin (versions up to and including 7.0.0) allows remote unauthenticated attackers to invoke privileged functionality without proper authorization checks, leading to integrity impact on payment gateway operations. The flaw stems from missing authorization (CWE-862) on plugin endpoints, and at time of analysis no public exploit was identified, though the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) makes it trivially reachable. The vulnerability was reported by Patchstack and tracked as EUVD-2026-36973.
Stored Cross-Site Scripting in the Shipment Tracker for WooCommerce WordPress plugin (versions up to and including 1.5.3.2) allows authenticated subscriber-level users to inject malicious scripts that execute in a privileged user's browser session. The CVSS scope-change flag (S:C) indicates the injected payload crosses into the administrator's browser context, enabling session hijacking, credential theft, or unauthorized admin actions. Reported by Patchstack with no public exploit code identified at time of analysis and no CISA KEV listing.
PHP Object Injection in the Advanced Product Fields (Product Addons) for WooCommerce plugin versions 1.6.19 and below allows authenticated users with Shop Manager privileges to deserialize attacker-controlled data, potentially leading to remote code execution or full site compromise depending on available PHP gadget chains. The flaw was disclosed by Patchstack and tracked as EUVD-2026-36946; no public exploit identified at time of analysis and the issue is not in CISA KEV.
PHP Object Injection in the WooCommerce PDF Invoices & Packing Slips WordPress plugin before version 5.9.0 allows authenticated users with Shop Manager privileges to trigger unsafe deserialization, potentially leading to full compromise of confidentiality, integrity, and availability. The flaw was reported by Patchstack and a vendor patch is available, though no public exploit has been identified at time of analysis. The CVSS 7.2 score reflects high privilege requirements offset by network reach and severe impact.
Privilege escalation in the WooCommerce Cart Abandonment Recovery WordPress plugin before version 2.1.0 allows an authenticated shop manager to elevate privileges beyond their intended role on affected WordPress sites. The flaw, tracked as CWE-266 (Incorrect Privilege Assignment), carries a CVSS 7.2 (High) score and has a vendor-released patch in 2.1.0, with no public exploit identified at time of analysis.
Arbitrary file deletion in Meta Box - WordPress Custom Fields Framework versions 5.11.1 and earlier exposes servers to filesystem damage through a path traversal flaw (CWE-22) accessible to WordPress Contributor-level users. By embedding traversal sequences in a crafted file deletion request, an authenticated Contributor can delete files outside the intended plugin directory, potentially reaching critical server or WordPress installation files. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis; however, the scope-changed CVSS metric indicates that impact can extend beyond the WordPress application boundary to the underlying server filesystem.
Unauthenticated SQL injection in the Feed KuantoKusta for WooCommerce Free WordPress plugin (versions n/a through 5.3) allows remote attackers to inject crafted SQL statements without prior authentication. Disclosed via Patchstack and tracked as EUVD-2026-36926, the flaw carries a CVSS 3.1 score of 9.3 with a changed scope, indicating data exposure beyond the plugin's own context. No public exploit identified at time of analysis, and no EPSS or KEV signal was provided in the input.
Reflected/stored cross-site scripting in the WooCommerce Product Table Lite WordPress plugin (versions ≤ 4.6.3) allows remote unauthenticated attackers to inject malicious JavaScript that executes in a victim's browser when they interact with a crafted link or page. Successful exploitation can lead to session hijacking, credential theft, or administrative actions performed in the context of an authenticated WordPress user, including site administrators. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the unauthenticated attack surface combined with WordPress's broad install base makes this a meaningful risk for sites running the plugin.
Broken access control in the Event Tickets Manager for WooCommerce WordPress plugin (versions up to and including 1.5.3) allows remote unauthenticated attackers to perform restricted actions or modify data without proper authorization checks. The flaw stems from a missing authorization layer (CWE-862) on one or more plugin endpoints, making it reachable directly over HTTP by anyone who can talk to the WordPress site. No public exploit has been identified at time of analysis, but the vulnerability was reported by Patchstack and is tracked under EUVD-2026-36920.
Unauthenticated sensitive data exposure in the IDPay Payment Gateway for WooCommerce WordPress plugin (versions ≤ 2.2.5) allows remote attackers to retrieve confidential information without credentials or user interaction over the network. The flaw was reported by Patchstack and tracked as EUVD-2026-36918; no public exploit identified at time of analysis. With a CVSS 7.5 (high) score driven entirely by confidentiality impact, the issue is significant for any WooCommerce site processing payments through this Iranian payment gateway integration.
Remote code execution in Edgar Rojas WooCommerce PDF Invoice Builder WordPress plugin (versions through 2.0.8) allows unauthenticated remote attackers to inject and execute arbitrary code on the host WordPress site. The CVSS 10.0 score with scope change reflects the severe impact: attackers can fully compromise the WordPress instance and potentially pivot beyond it. No public exploit identified at time of analysis, but the trivial attack vector (AV:N/AC:L/PR:N/UI:N) makes mass exploitation likely once details surface.
WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post'. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the download_backup.php. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress appointment-booking-calendar 1.1.24 contains multiple privilege escalation vulnerabilities that allow unauthenticated attackers to modify calendar settings and inject persistent cross-site. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by disabling CSRF token validation. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Abtest contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the action parameter. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin HB Audio Gallery Lite 1.0.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary files by manipulating the file_path parameter. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Brandfolder plugin version 3.0 and earlier contains a local file inclusion vulnerability in callback.php that allows unauthenticated attackers to include arbitrary files by manipulating the. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Dharma Booking 2.28.3 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the gateway parameter. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress IMDb Profile Widget 1.0.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the url parameter. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Plugin Photocart Link 1.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Simple-Backup 2.7.11 contains multiple vulnerabilities that allow unauthenticated attackers to delete arbitrary files and download sensitive files by manipulating the delete_backup_file and. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Ultimate Product Catalog 3.8.6 contains an arbitrary file upload vulnerability that allows authenticated users with contributor, editor, author, or administrator roles to upload malicious. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Lazy Content Slider Plugin 3.4 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Answer My Question 1.3 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id'. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
BBS e-Franchise 1.1.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the uid. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The 404 Redirection Manager plugin version 1.0 for WordPress contains an unauthenticated SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Booking Calendar Contact Form 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WordPress CP Polls 1.0.8 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
WordPress CP Polls 1.0.8 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unsanitized file upload functionality. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Stored Cross-Site Scripting in the Form Builder CP WordPress plugin (all versions before 1.2.47) allows authenticated users holding Editor-level access or above to inject persistent malicious scripts via unsanitized form configuration values, which execute in every visitor's browser upon rendering the affected form. Critically, this attack succeeds even when WordPress's `unfiltered_html` capability has been revoked - a control that multisite administrators commonly rely on to prevent exactly this class of injection from Editor-level roles. A publicly available exploit exists per WPScan, though no confirmed active exploitation (CISA KEV) has been recorded and the EPSS score of 0.19% (9th percentile) reflects limited automated mass exploitation at time of analysis.
The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend page enqueuing its map script, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin access.
The WP Go Maps WordPress plugin before 10.0.10 does not perform any approval-state filtering on its public single-marker REST endpoint, allowing unauthenticated users to retrieve marker records that an administrator has not yet approved for public display, including any PII placed in the address and description fields and the marker's geographic coordinates.
The WP Go Maps WordPress plugin before 10.0.10 does not properly enforce the marker approval filter on the admin-ajax fallback for its datatables route, allowing unauthenticated visitors to retrieve marker records that the site owner has not approved for public display, including their title, category, address and description fields.
Iptanus File Upload WordPress plugin before version 5.1.7 allows authenticated low-privilege users to overwrite other users' uploaded files by exploiting a Time-of-Check to Time-of-Use (TOCTOU) race condition in the plugin's file deduplication logic. The flaw is conditional on the `duplicatepolicy` setting being configured to 'maintain both,' and requires winning a precise timing race between the file existence check and the write operation. No active exploitation is confirmed by CISA KEV; however, a publicly available exploit exists via WPScan, and EPSS remains negligible at 0.01%, consistent with the high attack complexity required.
Stored cross-site scripting in the Bookly Online Scheduling and Appointment Booking System plugin for WordPress (versions through 27.2) allows remote unauthenticated attackers to inject arbitrary JavaScript via the 'bookly-customer-full-name' cookie, which is rendered without proper sanitization or output escaping. Exploitation is gated by the non-default 'Remember personal information in cookies' setting being enabled, and no public exploit identified at time of analysis. The flaw was reported by Wordfence and the upstream fix landed in changeset 3504922 in the WordPress plugin repository.
Meow Gallery plugin for WordPress (all versions through 5.4.4) exposes an unprotected REST API endpoint that permits any authenticated user with Author-level access or above to overwrite or create arbitrary gallery shortcode records by supplying a user-controlled `id` parameter. The endpoint `/wp-json/meow-gallery/v1/save_shortcode` performs direct database write operations without verifying ownership of the referenced record, making this a classic CWE-639 (IDOR) pattern. No public exploit or CISA KEV listing has been identified at time of analysis; however, the low attack complexity and wide availability of Author-level accounts in multi-contributor WordPress environments elevate real-world risk above what the CVSS 4.3 score alone suggests.
Stored Cross-Site Scripting in the Canvas plugin for WordPress (versions ≤ 2.5.2) allows an authenticated attacker holding contributor-level access or above to inject persistent JavaScript via the unsanitized 'tag' parameter in the block-section-heading Gutenberg block. The payload is stored in the database and executes in the browser of any user who subsequently loads the compromised page, enabling session hijacking, credential theft, or malicious redirects at scale. No active exploitation is confirmed (not listed in CISA KEV), but the low privilege bar makes this a realistic threat on multi-author WordPress installations; a fix is available in version 2.5.3.
Incorrect authorization in the Pagelayer WordPress plugin (versions up to and including 2.0.9) allows authenticated attackers with Contributor-level access to inject arbitrary contact-form mail templates into post metadata via the pagelayer_save_content AJAX handler, which are subsequently consumed without privilege enforcement by the unauthenticated pagelayer_contact_submit endpoint through user-controlled post and form identifiers. The practical impact is attacker-defined control over outbound email templates dispatched from the affected site, exploitable by any registered Contributor without admin interaction. No public exploit has been identified at time of analysis, but the Wordfence advisory notes this vulnerability may be chained with CVE-2026-2442 to further amplify attacker control over outbound email behavior.
Stored cross-site scripting in the Pagelayer Drag and Drop website builder plugin for WordPress (versions up to and including 2.0.9) allows authenticated contributors to inject persistent malicious scripts via the Anchor block component. Any site visitor - including privileged administrators - who loads an injected page will execute the attacker-supplied script in their browser, enabling session token theft, credential harvesting, or privilege escalation. No public exploit code has been identified at time of analysis and this vulnerability is not listed in CISA's KEV catalog; however, the low authentication barrier (contributor-level) makes it realistically accessible on multi-author WordPress sites.
Stored Cross-Site Scripting in FooGallery WordPress plugin versions through 3.1.31 allows authenticated contributors to inject persistent JavaScript via the 'custom_attribute_key' shortcode parameter, executing against any visitor who views an affected page. The flaw combines a bypass-prone event-handler blacklist in foogallery_sanitize_javascript() - which omits handlers like 'onmouseenter' - with unescaped attribute key output in foogallery_build_container_attributes_safe(), together enabling DOM-level script injection. A patched version 3.1.32 is confirmed released; no public exploit code or CISA KEV listing has been identified at time of analysis.
The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary `.php` files from the server, including configuration files that contain database credentials and authentication keys.
The Store Locator WordPress plugin before 1.6.9 does not sanitize and escape store logo metadata before storing it and outputting it on the Store Locator WordPress plugin before 1.6.9 admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network).
Stored cross-site scripting in the GPTranslate - Multilingual AI Translation WordPress plugin (versions ≤ 2.31) allows unauthenticated attackers to inject arbitrary JavaScript into translated pages via the /wp-json/gptranslate/v1/request REST endpoint. Because the API key is deterministically derived as sha256(site_url) and exposed in every page's HTML as the gptApiKey JavaScript variable, any visitor can recover it and submit malicious translation payloads that execute in the browsers of subsequent visitors. No public exploit identified at time of analysis, but the exposed key makes exploitation trivial once the technique is known.
SQL injection in the WP Ticket WordPress plugin (versions up to and including 6.0.4) allows unauthenticated remote attackers to inject arbitrary SQL via the WordPress front-end search query parameter `s`, enabling extraction of sensitive database contents. The flaw stems from concatenating the unslashed search term into a UNION sub-SELECT without using `$wpdb->prepare()`. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the unauthenticated network attack vector keeps risk meaningful on exposed sites.
Arbitrary file read in the LWS Optimize WordPress plugin (versions up to and including 3.3.19) permits authenticated users with Editor-level access or above to retrieve any file readable by the web-server process, including sensitive files such as wp-config.php. The vulnerable `combine_current_css()` function blindly trusts stylesheet href values harvested from page HTML, resolves them to absolute filesystem paths, and passes them to `file_get_contents()` without enforcing a safe-directory boundary or a `.css` extension check - a classic CWE-22 path traversal pattern. No public exploit has been identified and the vulnerability is not listed in CISA KEV, but the attack path is straightforward given the source code is publicly accessible in the WordPress plugin repository.
The Secure Copy Content Protection and Content Locking WordPress plugin before 5.1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Cross-tenant privilege escalation in WebPros WordPress Toolkit prior to 6.11.0 (as bundled with cPanel & WHM) allows an authenticated low-privilege account holder to inject arguments into the wp-toolkit CLI and execute commands in the context of another tenant on the same shared server. With a CVSS of 9.9 and scope change, a single compromised hosting account can pivot to siblings on the same host. No public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Stored XSS in the Presto Player WordPress plugin (versions ≤ 4.2.0) lets authenticated contributors persist arbitrary JavaScript payloads by supplying a javascript: URI as the link_url parameter of the [presto_player_overlay] shortcode. The getOverlays() function in Shortcodes.php copies the attribute into overlay configuration without scheme validation, causing the URI to survive into the href attribute rendered by the presto-dynamic-overlay-ui Stencil.js web component; any visitor who loads the injected page triggers execution. No public exploit or CISA KEV listing has been identified at time of analysis, but the low attack complexity within the contributor-access constraint makes this a realistic risk on multi-author or membership-based WordPress installations.
Privilege escalation in the Hippoo Mobile App for WooCommerce WordPress plugin (versions up to and including 1.9.4) allows remote unauthenticated attackers to elevate privileges on affected sites due to incorrect privilege assignment (CWE-266). With a CVSS 3.1 score of 9.8 and Patchstack-reported network-exploitable characteristics, this issue can lead to full compromise of WooCommerce-backed WordPress stores; no public exploit identified at time of analysis.
Server-side request forgery in the Fediverse Embeds WordPress plugin before 1.5.8 lets any unauthenticated visitor coerce the WordPress host into issuing arbitrary outbound HTTP requests and returns the full response body to the caller, turning the site into a full-read open proxy. The flaw stems from the ftf/media-proxy REST route being registered with permission_callback => __return_true and a dead allowlist check whose result was never honored before wp_remote_get was invoked on a base64-decoded attacker-supplied URL. No public exploit identified at time of analysis, but the bug is trivial to weaponize against internal cloud metadata endpoints and intranet services from any reachable WordPress install.
Server-Side Request Forgery in the Fediverse Embeds WordPress plugin (versions prior to 1.5.9) allows any unauthenticated visitor to cause the WordPress server to fetch an arbitrary URL by abusing a publicly exposed AJAX endpoint. The nonce mechanism guarding the endpoint (`ftf-fediverse-embeds-nonce`) is not an authentication boundary - the same nonce is embedded into every public page containing a fediverse embed, making it trivially obtainable by any site visitor. Once obtained, the nonce can be replayed to invoke `file_get_html($site_url)` with an attacker-controlled URL, potentially exposing internal services such as cloud provider metadata endpoints. No active exploitation has been confirmed (CVE is not in CISA KEV) and no public proof-of-concept has been identified at time of analysis.